Zero-Day Vulnerability in Sophos Firewall Already Exploited Weeks Before Fix

It has been revealed that Chinese hackers used a zero-day exploit against a critical security vulnerability in Sophos Firewall to compromise a company and infiltrate a cloud-hosted web server operated by the victim.

Cybersecurity Delivered | Sophos Security Solutions
Get more value from your existing investments with security that integrates with your IT stack. Sophos delivers cybersecurity through a fully-managed MDR servic...

An authentication bypass vulnerability was discovered and disclosed in the Sophos Firewall user portal and webadmin that allows remote code execution. This vulnerability was reported by an external security researcher through the Sophos bug bounty program. This vulnerability has been fixed.

Although this security vulnerability has been fixed, it appears that various attackers continued to exploit this issue to bypass authentication and remotely execute arbitrary code at multiple organizations.

On March 25, Sophos released a security advisory on CVE-2022-1040, an authentication bypass vulnerability affecting the Sophos Firewall user portal and webadmin that can be exploited to remotely execute arbitrary code. The advisory announced that the vulnerability can be exploited to remotely execute arbitrary code.

Cybersecurity firm Volexity details an attack from a Chinese APT group it is tracking as DriftingCloud.

This attack used a zero-day exploit to compromise the firewall and install a web shell backdoor and malware to allow entry into external systems outside the network protected by the Sophos Firewall.

At the time Volexity began its investigation, it was clear that the attack was still active and that there were sophisticated attackers who had made efforts to avoid detection.

At first glance, this may appear to be a brute force login, not related to a backdoor. The only things in the log file that looked out of the ordinary were the referrer value and the response status code.

Getting access to the web server

Volexity has discovered a more malicious activity, separate from the web shell, that ensures persistence and allows attackers to further their attacks. Create a VPN user account and associate a certificate pair with the firewall for legitimate remote network accessWrite “” to “/conf/certificate/”. The “” executes a malicious command that downloads the binary, executes it, and then removes it from disk

According to the researchers, access to the Sophos Firewall was the first step in the attack, which allowed for man-in-the-middle (MitM) activity by way of modifying the DNS response of a specific website controlled by the victim company.

This allowed the attacker to intercept user credentials and session cookies from administrative access to the website’s content management system (CMS)

The attempt appears to have succeeded because the attacker used the stolen session cookie to access the CMS administration page and install the file manager plugin (upload, download, delete, edit) to handle files on the website.

When accessing the web server, DriftingCloud installs three publicly available malware families for remote access: PupyRAT, Pantegana, and Sliver.

Detect similar attacks

Volexity assesses that DriftingCloud is either sophisticated enough to develop zero-day vulnerabilities or has sufficient funds to purchase them.

Sophos is providing a fix that automatically addresses CVE-2022-1040, as well as mitigations to ensure that organizations using its firewalls are not exploited for this vulnerability.

To identify similar attacks, Volexity recommends implementing a network security monitoring mechanism that detects and logs traffic from gateway devices.

They also recommend using the auditd tool on Unix-based servers to facilitate infringement investigations.

auditd(8): Audit daemon - Linux man page
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ...

Volexity also publishes a set of YARA rules that can flag suspicious activity from this type of attack.